tomcat (SL7)

* A vulnerability was discovered in the error page mechanism in Tomcat’s
DefaultServlet implementation. A crafted HTTP request could cause
undesired side effects, possibly including the removal or replacement of
the custom error page. (CVE-2017-5664)

* A vulnerability was discovered in Tomcat. When running an untrusted
application under a SecurityManager it was possible, under some
circumstances, for that application to retain references to the request or
response objects and thereby access and/or modify information associated
with another web application. (CVE-2017-5648)
—